By Steve Ragan Apr 12, 2007, 9:00 GMT
Mati Aharoni, of offensive-security.com, posted an email to Full Disclosure on April 9, 2007. The email was later archived by the Security Vulnerability website (securityvulns.com). That is important for this story because of the content of the email, which disclosed three Microsoft Word 2007 vulnerabilities and one that exploits Windows HLP files.
There are two points to this story circulating on the web, and one of them is false. These exploits were released before the Microsoft Patch Tuesday releases, not on the same day as the patches, or after. The included files reportedly fail to do anything serious, but in fact did exactly as promised. “My 7 line python fuzzer found several file format bugs in 3 hours. Quite alarming,” said Aharoni, “No deep analysis was done; I leave that to the community.” Analyze is exactly what the community, including Microsoft, did.
Regarding the Word files included with the announcement by Aharoni, Microsoft said in a statement that they fail to “demonstrate any vulnerability in Word 2007 or any Office 2007 products.” Perhaps the files are touch and go, but when tested by several people, all three Word files acted as advertised. (M&C tested these files on Windows XP SP2 with all patches; one failed to work, while two crashed Word. The HLP file yielded no results. It is assumed the testing variables used were not the same as those used by the vulnerability author.)
The vulnerabilities reported by Aharoni include a crash in wwlib.dll caused by an unspecified overflow error; CPU exhaustion that drives the CPU to one hundred percent usage; and denial of service by crashing Word. Of the three Word files, the last flaw was reported in two. In addition, there is a heap-overflow error that is ‘Funky’ according to Aharoni, and rather familiar according to his disclosure.
While Microsoft screams false, it ignores the fact that there are patterns that come with its release schedules. As soon as the company offers its patches, new exploits and code that target Windows are released. This is one reason many security experts call for Microsoft to change its update release schedule and offer more out-of-cycle patches for critical exploits.
The recent Windows threat, the .ANI exploit, started gaining momentum early this month. Currently there are over two thousand websites hosting malware that takes advantage of the animated cursor vulnerability in Windows. Microsoft took five months to release a fix for the exploit, which has affected thousands of people to date. This is one reason for the demand that the company change its patch release cycle. Aharoni’s archived post to Full Disclosure is located here: http://securityvulns.com/Qdocument628.html